Which step in the incident response process researches an attacking host through logs in a SIEM?
The step in the incident response process that researches an attacking host through logs in a SIEM (Security Information and Event Management) is the detection and analysis phase, option A.
The detection and analysis phase is the first step in the incident response process, which involves identifying the occurrence of an incident and analyzing its impact on the organization. During this phase, the security team analyzes the information gathered from various sources, such as security logs, network traffic, and system logs, to determine the nature of the incident.
In this particular case, the security team researches the attacking host by examining the logs collected by the SIEM. A SIEM is a security management system that gathers and analyzes security-related data from different sources across an organization's network: it collects, aggregates, and correlates logs from devices such as firewalls, routers, switches, servers, and applications. The correlated logs can then be analyzed to identify security incidents and give a clear picture of what happened.
By examining the logs in the SIEM, the security team can determine the source and the type of attack, the extent of the damage, and the potential risks to the organization's network. They can also identify the systems that have been affected and the type of data that may have been compromised. This information is essential in deciding the appropriate action to take in containing and eradicating the incident.
In conclusion, the detection and analysis phase is the step in the incident response process that researches an attacking host through logs in a SIEM.
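As an added illustration of the analysis step described above (example code written for this page, not part of the original answer), the script below correlates constructed firewall and SSH log lines, in a SIEM-style key=value format, to build a profile of one attacking host: when it was first and last seen, which log sources recorded it, which systems it touched, and how many logins failed or succeeded. All hostnames, addresses and field names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample events in a simplified "timestamp source key=value ..." layout,
# standing in for what a SIEM holds after aggregating firewall and sshd logs.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01Z firewall src=203.0.113.45 dst=10.0.0.5 dport=22 action=allow",
    "2024-05-01T10:00:03Z sshd host=web01 src=203.0.113.45 user=root result=failed",
    "2024-05-01T10:00:05Z sshd host=web01 src=203.0.113.45 user=admin result=failed",
    "2024-05-01T10:00:09Z sshd host=web01 src=203.0.113.45 user=deploy result=success",
    "2024-05-01T10:01:00Z firewall src=203.0.113.45 dst=10.0.0.7 dport=3389 action=deny",
    "2024-05-01T10:02:00Z sshd host=db01 src=198.51.100.9 user=backup result=success",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one log line into a dict with a parsed timestamp, the log source,
    and every key=value field the line carries."""
    ts, source, rest = line.split(" ", 2)
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    event.update(KV_RE.findall(rest))
    return event


def profile_host(lines, attacker_ip):
    """Correlate every event whose src field is attacker_ip, across all log
    sources, into a summary an analyst can act on. Returns None if unseen."""
    events = [e for e in map(parse_event, lines) if e.get("src") == attacker_ip]
    if not events:
        return None
    results = Counter(e.get("result") for e in events)
    return {
        "first_seen": min(e["ts"] for e in events),
        "last_seen": max(e["ts"] for e in events),
        "sources": sorted({e["source"] for e in events}),
        # firewall lines name the target by dst, sshd lines by host
        "targets": sorted({e.get("dst") or e.get("host") for e in events}),
        "failed_logins": results["failed"],
        "successful_logins": sorted(
            f"{e['host']}:{e['user']}" for e in events if e.get("result") == "success"),
        "denied_connections": sum(1 for e in events if e.get("action") == "deny"),
    }


if __name__ == "__main__":
    for key, value in profile_host(SAMPLE_EVENTS, "203.0.113.45").items():
        print(f"{key}: {value}")
```

The successful_logins entry is the one that matters most for the next phase: it tells the team which host and account to contain and which data that account could reach.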